b'                     AUDIT REPORT\n\n                     Audit of NRC\xe2\x80\x99s Integrated Personnel\n                               Security System\n\n                        OIG-06-A-06     January 9, 2006\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                              NRC\xe2\x80\x99s Web site at:\n             http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                            January 9, 2006\n\n\nMEMORANDUM TO:              Luis A. Reyes\n                            Executive Director for Operations\n\n\n\nFROM:                       Stephen D. Dingbaum /RA/\n                            Assistant Inspector General for Audits\n\n\nSUBJECT:                    AUDIT OF NRC\xe2\x80\x99S INTEGRATED PERSONNEL\n                            SECURITY SYSTEM (OIG-06-A-06)\n\n\nAttached is the Office of the Inspector General\xe2\x80\x99s (OIG) audit report titled, Audit of\nNRC\xe2\x80\x99s Integrated Personnel Security System (IPSS).\n\nThe audit found that while many IPSS users report that the system is easier to\nuse than its predecessor systems and provides more functionality, IPSS does not\nperform in accordance with its required operational capabilities. Specifically,\n\n       \xc2\xbe The system is not fully functional.\n       \xc2\xbe System data is inaccurate and missing.\n       \xc2\xbe System checks to ensure data accuracy and correspondence between\n         related data items are inadequate.\n       \xc2\xbe Security measures are inadequate or missing.\n       \xc2\xbe IPSS lacks a records disposition schedule.\n\nThis report makes 17 recommendations to strengthen the Integrated Personnel\nSecurity System.\n\nDuring an exit conference on December 22, 2005, NRC officials provided\ninformal comments concerning the draft audit report. 
These comments have\nbeen incorporated, as appropriate, in our final report.\n\nIf you have any questions, please call Beth Serepca at 415-5911 or me at\n415-5915.\n\nAttachment: As stated\n\x0cElectronic Distribution\n\nJohn T. Larkins, Executive Director, Advisory Committee on Reactor\n Safeguards/Advisory Committee on Nuclear Waste\nG. Paul Bollwerk, III, Chief Administrative Judge, Atomic Safety and\n Licensing Board Panel\nKaren D. Cyr, General Counsel\nJohn F. Cordes, Jr., Director, Office of Commission Appellate Adjudication\nJesse L. Funches, Chief Financial Officer\nJanice Dunn Lee, Director, Office of International Programs\nRebecca L. Schmidt, Director, Office of Congressional Affairs\nEliot B. Brenner, Director, Office of Public Affairs\nAnnette Vietti-Cook, Secretary of the Commission\nLuis A. Reyes, Executive Director for Operations\nWilliam F. Kane, Deputy Executive Director for Reactor\n  and Preparedness Programs, OEDO\nMartin J. Virgilio, Deputy Executive Director for Materials, Research,\n  State and Compliance Programs, OEDO\nJacqueline E. Silber, Deputy Executive Director for Information Services\n   and Administration, and Chief Information Officer, OEDO\nWilliam M. Dean, Assistant for Operations, OEDO\nTimothy F. Hagan, Director, Office of Administration\nMichael R. Johnson, Director, Office of Enforcement\nGuy P. Caputo, Director, Office of Investigations\nEdward T. Baker, Director, Office of Information Services\nJames F. McDermott, Director, Office of Human Resources\nCorenthis B. Kelley, Director, Office of Small Business and Civil Rights\nJack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards\nJames E. Dyer, Director, Office of Nuclear Reactor Regulation\nCarl J. Paperiello, Director, Office of Nuclear Regulatory Research\nJanet R. Schlueter, Director, Office of State and Tribal Programs\nRoy P. Zimmerman, Director, Office of Nuclear Security and Incident Response\nSamuel J. 
Collins, Regional Administrator, Region I\nWilliam D. Travers, Regional Administrator, Region II\nJames L. Caldwell, Regional Administrator, Region III\nBruce S. Mallett, Regional Administrator, Region IV\n\x0c                                      Audit of NRC\xe2\x80\x99s Integrated Personnel Security System\n\n\n\nEXECUTIVE SUMMARY\n\n       BACKGROUND\n\n       The Nuclear Regulatory Commission (NRC) Division of Facilities\n       and Security (DFS) administers NRC\xe2\x80\x99s facility and personnel\n       security programs. Its responsibilities include making\n       determinations concerning security clearances and access,\n       administering the drug testing program, and physically protecting\n       NRC facilities.\n\n       In September 2002, DFS initiated a contract to develop a new\n       integrated computer system to support NRC\xe2\x80\x99s personnel and facility\n       security programs. This new Integrated Personnel Security System\n       (IPSS) was expected to replace several DFS information\n       technology systems. Although IPSS was deployed in October 2003\n       and DFS staff use the system daily to manage the personnel and\n       facility security programs, development is still underway.\n\n       PURPOSE\n\n       The objective of this audit was to determine if IPSS meets its\n       required operational capabilities.\n\n       RESULTS IN BRIEF\n\n       Although many IPSS users report that the system is easier to use\n       than its predecessor systems and provides more functionality, IPSS\n       does not perform in accordance with its required operational\n       capabilities. 
Specifically,\n\n          \xc2\xbe The system is not fully functional.\n          \xc2\xbe System data is inaccurate and missing.\n          \xc2\xbe System checks to ensure data accuracy and\n            correspondence between related data items are inadequate.\n          \xc2\xbe Security measures are inadequate or missing.\n          \xc2\xbe IPSS lacks a records disposition schedule.\n\n       IPSS Is Not Fully Functional\n\n       Despite contract requirements for the following system\n       functionalities, IPSS (1) does not provide a complete list of\n       employees and contractors due for clearance or access\n       reinvestigation, (2) does not provide drug testing management\n       capabilities, (3) has not provided reliable report-generating\n       capabilities to enable DFS staff to make quality assurance\n       determinations, and (4) does not allow for the deletion of records.\n\n                                  i\n\x0c                                Audit of NRC\xe2\x80\x99s Integrated Personnel Security System\n\n\n\n\nThese problems exist because NRC did not follow the agency\nstandard system development life cycle process, and the system\nwas deployed before development was complete. As a result, DFS\nstaff lack IPSS reports to ensure the effectiveness of the security\nprogram, must maintain duplicate systems for drug testing and\nbadge management, cannot delete flawed records from IPSS, and\ncannot determine with confidence when and at what cost the\nsystem will be fully functional.\n\nData Inaccurate and Missing\n\nKey information within the IPSS system is inaccurate, missing, or\nincorrectly displayed. Of 262 files analyzed by the Office of the\nInspector General (OIG), 119 files contained one or more data\nerrors. These errors occurred because DFS management did not\nprovide users with adequate guidance and have implemented\ninadequate quality control procedures. 
Without accurate IPSS\ndata, DFS cannot ensure that reinvestigations are performed in a\ntimely manner, as required.\n\nIPSS Checks Are Inadequate\n\nIPSS lacks required system checks to assure correspondence\nbetween (1) badge type and clearance type and (2) clearance type\nand investigation type. The system also lacks logical date checks\nto ensure data accuracy. These issues exist because problems\nwith system checks were not identified during user acceptance\ntesting and because too few checks were included in system\nrequirements documents. This lack of checks could result in the\ndisclosure of classified information to those unauthorized for such\naccess; it has already resulted in the issuance of incorrect badges\nto two NRC employees and in IPSS data errors.\n\nSystem Security Measures Inadequate or Missing\n\nIPSS does not follow several important security practices outlined\nin its security plan, including assigning users with the least amount\nof access needed to perform their job, having the capability to\nidentify when and how the system is used, and having users sign\nan integrity statement. IPSS security measures are inadequate\nbecause DFS managers performed ineffective oversight of system\nrole assignments and were unaware of the risks posed by a lack of\naudit trails and an integrity statement. As a result of these\nshortcomings, personnel security information is vulnerable to\nmisuse, both intentional and unintentional.\n\n\n\n                           ii\n\x0c                            Audit of NRC\xe2\x80\x99s Integrated Personnel Security System\n\n\n\nIPSS Lacks Records Disposition Schedule\n\nIPSS lacks a records disposition schedule because the Office of\nInformation Services (OIS) failed to inform DFS of this need during\nthe system development process. 
As a result, the system is not in\ncompliance with Federal records retention requirements.\n\nRECOMMENDATIONS\n\nThis report makes 17 recommendations to better insure IPSS\nmeets its operational requirements. A consolidated list of\nrecommendations appears on pages 23-24 of this report.\n\nAGENCY COMMENTS\n\nAt an exit conference held on December 22, 2005, NRC officials\ngenerally agreed with the report\xe2\x80\x99s findings and recommendations\nand provided comments concerning the report. In addition, they\nstated that they were aware of problems with IPSS prior to\nreceiving the draft report. We modified the report as we determined\nappropriate. NRC reviewed these modifications and opted not to\nsubmit formal written comments to this final version of the report.\n\n\n\n\n                          iii\n\x0c                                Audit of NRC\xe2\x80\x99s Integrated Personnel Security System\n\n\n\nABBREVIATIONS AND ACRONYMS\n\n       DFS     Division of Facilities and Security\n       IPSS    Integrated Personnel Security System\n       NARA    National Archives and Records Administration\n       NRC     Nuclear Regulatory Commission\n       OIG     Office of the Inspector General\n       OIS     Office of Information Services\n       OPM     Office of Personnel Management\n\n\n\n\n                            v\n\x0c                   Audit of NRC\xe2\x80\x99s Integrated Personnel Security System\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n               v\n\x0c                                                    Audit of NRC\xe2\x80\x99s Integrated Personnel Security System\n\n\n\nTABLE OF CONTENTS\n\n     EXECUTIVE SUMMARY......................................................................i\n\n     ABBREVIATIONS AND ACRONYMS ................................................ iv\n\n     I. BACKGROUND................................................................................1\n\n     II. 
PURPOSE .......................................................................................3\n\n     III. FINDINGS ......................................................................................3\n\n              A.      IPSS IS NOT FULLY FUNCTIONAL .........................................4\n\n              B.      DATA INACCURATE AND MISSING ..........................................8\n\n              C.      IPSS CHECKS ARE INADEQUATE ........................................13\n\n              D.      SYSTEM SECURITY MEASURES INADEQUATE OR MISSING .....16\n\n              E.      IPSS LACKS RECORDS DISPOSITION SCHEDULE .................20\n\n              F.      SIGNIFICANT ISSUES REMAIN..............................................22\n\n     IV. CONSOLIDATED LIST OF RECOMMENDATIONS ....................23\n\n     V. AGENCY COMMENTS .................................................................25\n\n     APPENDICES\n\n              A. SCOPE AND METHODOLOGY .........................................27\n\n              B. DETAILED IPSS DESCRIPTION .......................................29\n\n\n\n\n                                                  vi\n\x0c                Audit of NRC\xe2\x80\x99s Integrated Personnel Security System\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n              vii\n\x0c                                                           Audit of NRC\xe2\x80\x99s Integrated Personnel Security System\n\n\n\nI. BACKGROUND\n\n                  DFS administers NRC\xe2\x80\x99s facility and personnel security programs.\n                  Its responsibilities include:\n\n                  \xe2\x80\xa2    Making initial and continuing eligibility determinations\n                       concerning security clearances and access, and ensuring that\n                       all employees have security clearances in accordance with\n                       Atomic Energy Act requirements. 
1\n\n                  \xe2\x80\xa2    Administering NRC\xe2\x80\x99s drug testing program, which tests\n                       designated NRC employees and applicants for the presence of\n                       illegal drugs.\n\n                  \xe2\x80\xa2    Physically protecting NRC facilities through the use of badge\n                       access and other systems.\n\n                  In September 2002, DFS contracted with PEC Solutions, Inc., to\n                  develop a new integrated computer system to support NRC\xe2\x80\x99s\n                  personnel and facility security programs. This new system, IPSS,\n                  was expected to replace the prior personnel security system and\n                  five other DFS security systems. One of the goals for IPSS was to\n                  integrate relevant security functions performed by these systems,\n                  such as badge management, classified visit tracking, personnel\n                  security tracking, and drug testing management. The integrated\n                  system would allow personnel security information to be entered\n                  once and then be available for each of these functions to draw\n                  from. (See Appendix B for more information on IPSS.) IPSS was\n                  to be Web-enabled and allow users access through the NRC\n                  Intranet. The contract anticipated system implementation by June\n                  2003 at a total contract cost of $386,850.\n\n\n\n\n1\n  Pursuant to the Atomic Energy Act of 1954, as amended, all NRC employees must have a security\nclearance; under NRC\xe2\x80\x99s system, employees receive either an L clearance, which equates to a Confidential\nor Secret clearance; a Q clearance, which equates to a Top Secret clearance; or an L(H) designation for\nemployees who hold high public trust positions. 
In addition, NRC requires contractors to have (1) a security\nclearance to work with classified information or in a position of high public trust, (2) IT access to work with\nNRC sensitive IT systems and information, or (3) building access to be permitted continuous unescorted\naccess within headquarters or regional office facilities (but not access to sensitive IT systems or\ninformation).\n                                                       1\n\x0c                                                        Audit of NRC\xe2\x80\x99s Integrated Personnel Security System\n\n\n\n                   Although IPSS was deployed on October 17, 2003, 2 and DFS staff\n                   use the system daily to manage the personnel and facility security\n                   programs, work to develop IPSS to meet initial contract\n                   requirements continues and the contract is in its seventh\n                   modification. Contract obligations thus far total $550,266.57 and\n                   DFS officials anticipate that up to $90,000 more will be needed to\n                   finish developing the system by a new target date of December\n                   2006.\n\n                   IPSS has 78 authorized users. 
See table 1 for a listing of users\n                   and their IPSS-related duties.\n\nTable 1\nJob Title (# of Staff in Category)                      Description of IPSS Duties\nProcessors (3)                                          Enter personnel security tracking data (e.g.,\n                                                        clearance type, dates of background investigations,\n                                                        personal history information) into IPSS and perform\n                                                        the bulk of IPSS data entry tasks.\nAdjudicators (6)                                        Review IPSS information as part of the\n                                                        clearance/access adjudication process, but rarely\n                                                        enter data.\nSecurity Guards (47)                                    Assign permanent and temporary badges to\n                                                        employees, contractors, and classified visitors.\n\n                                                        Assure that assigned badges are appropriate for the\n                                                        person\xe2\x80\x99s clearance or access level.\nFacility Security Specialists (5)                       Run quality assurance reports on access issues.\nOther Users (17)                                        Includes other DFS users, non-DFS staff who\n                                                        support IPSS, and agency managers who have\n                                                        been granted limited access to IPSS information due\n                                                        to their job responsibilities.\n\n\n                   For information security purposes, IPSS is classified as a major\n                   application. 
This Office of Management and Budget categorization\n                   means the system requires special attention to security due to the\n                   risk and magnitude of the harm that would result from the loss,\n                   misuse, or unauthorized access to or modification of the information\n                   in the application.\n\n                   IPSS contains records on approximately 21,500 individuals (active\n                   and inactive employees, contractors, consultants, licensees, and\n                   others).\n\n\n\n\n2\n  A DFS manager explained that for a period of time preceding this date, DFS was using both IPSS and the\npredecessor personnel security systems to store personnel security data, but that DFS stopped using one of\nthe major predecessor systems on October 17.\n                                                    2\n\x0c                                         Audit of NRC\xe2\x80\x99s Integrated Personnel Security System\n\n\n\nII. PURPOSE\n\n          The audit objective was to determine whether IPSS meets its\n          required operational capabilities. Appendix A contains information\n          on the audit scope and methodology.\n\n\nIII. FINDINGS\n\n          Although many IPSS users report that the system is easier to use\n          than its predecessor systems and provides more functionality, IPSS\n          does not perform in accordance with its required operational\n          capabilities. Specifically,\n\n          A. The system is not fully functional.\n\n          B. System data is inaccurate and missing.\n\n          C. System checks to ensure data accuracy and correspondence\n             between related data items are inadequate.\n\n          D. Security measures are inadequate or missing.\n\n          E. 
IPSS lacks a records disposition schedule.\n\n          These problems exist because NRC did not follow the agency\n          standard system development life cycle process and did not employ\n          adequate quality assurance measures over the system and its data.\n          As a result, some important system data is unreliable and the\n          system does not fully support the agency\xe2\x80\x99s personnel and facility\n          security programs as originally intended.\n\n          Given the extent of problems identified with IPSS and changes in\n          Federal personnel security requirements, the agency needs to\n          pursue all recommendations identified in this audit report, including\n          a summary recommendation to conduct a cost-benefit analysis to\n          determine the value of continuing to develop IPSS versus\n          purchasing an alternative product.\n\n\n\n\n                                     3\n\x0c                                        Audit of NRC\xe2\x80\x99s Integrated Personnel Security System\n\n\n\n\nA. 
IPSS IS NOT FULLY FUNCTIONAL\n\n         Despite contract requirements for the following system\n         functionalities, IPSS:\n\n          \xc2\x83   Does not provide a complete list of employees and contractors\n              due for clearance or access reinvestigation.\n\n          \xc2\x83   Does not provide drug testing management capabilities.\n\n          \xc2\x83   Has not provided reliable report-generating capabilities to\n              enable DFS staff to make quality assurance determinations.\n\n          \xc2\x83   Does not allow for the deletion of records.\n\n         These problems exist because the OIS project manager did not\n         follow the agency standard system development life cycle process,\n         and the system was deployed before development was complete.\n         As a result, DFS staff lack IPSS reports to ensure the effectiveness\n         of the security program, must maintain duplicate systems for drug\n         testing and badge management, cannot delete flawed records from\n         IPSS, and cannot determine with confidence when and at what cost\n         the system will be fully functional.\n\n         Required Functionalities\n\n         The IPSS contract and the IPSS project plan include specific\n         system functionalities required to support NRC\xe2\x80\x99s personnel and\n         facility security programs. 
These requirements include, among\n         others, a system capability to (1) alert DFS staff of all individuals\n         coming due for background reinvestigations; (2) allow DFS to\n         create and maintain drug testing records for NRC employees,\n         applicants, and selected contractors and to create and maintain a\n         drug testing pool of selected individuals; (3) provide users with\n         direct access to pre-defined reports to help manage the security\n         program; and (4) allow the capability to delete a personnel security\n         record.\n\n         Problems With Required Functionalities\n\n         Despite these system requirements, none of the four functionalities\n         listed above exist dependably within IPSS.\n\n\n\n\n                                    4\n\x0c                                                       Audit of NRC\xe2\x80\x99s Integrated Personnel Security System\n\n\n\n\n                          List of Individuals Due for Reinvestigation\n\n                 The IPSS Notifications Page, which is the IPSS report DFS uses to\n                 determine who needs to be reinvestigated for continued security\n                 clearance or access, does not identify all individuals whose data\n                 indicate they are due for reinvestigation. Auditors examined the\n                 IPSS records for 262 randomly selected employees and contractors\n                 and identified that 14 of these individuals had data indicating they\n                 were overdue for reinvestigation by up to 7 years. 
Yet, none of\n                 these individuals appeared on the Notifications Page and none had\n                 records indicating a request had been submitted by NRC to the\n                 Office of Personnel Management3 to initiate a reinvestigation.\n\n                 OIG provided this information to DFS staff, who acknowledged that\n                 IPSS was not identifying reinvestigations correctly from the\n                 database. Subsequently, DFS staff reviewed each of the 14 cases\n                 and determined that, in fact, not all of these individuals were\n                 overdue for reinvestigation. According to their assessment, one\n                 was overdue, four were terminated although this was not noted in\n                 IPSS, and the others were not overdue but appeared to be so\n                 because their data in IPSS was in error (see finding B for\n                 elaboration on IPSS data inaccuracies). A DFS manager stated\n                 that staff have since corrected these particular data inaccuracies\n                 within IPSS, initiated the reinvestigation process for the overdue\n                 individual, and intend to pursue correction of the underlying\n                 problem with the Notifications Page.\n\n                          Drug Testing Management\n\n                 IPSS\xe2\x80\x99 drug testing management functionality is inoperable and\n                 remains under development. Although this was one of the basic\n                 contract requirements for IPSS, DFS staff explained that the\n                 contractor has yet to implement this component. 
They said the\n                 contractor has been working closely with DFS staff to develop the\n                 component.\n\n                          Access to Reports\n\n                 A portion of IPSS\xe2\x80\x99 pre-defined reporting capability has never\n                 functioned properly, and even when the reports appear to be\n                 working, DFS staff expressed a lack of confidence about their\n                 accuracy. According to the contract and to the project plan, IPSS\n                 was to feature more than 50 pre-defined queries and reports to\n\n\n3\n  Most background investigations for NRC employees are conducted by the Office of Personnel\nManagement (OPM). The exception is the presidentially appointed Chairman, Commissioners, and\nInspector General, whose background investigations are conducted by the Federal Bureau of Investigation.\n                                                   5\n\x0c                                                           Audit of NRC\xe2\x80\x99s Integrated Personnel Security System\n\n\n\n                  allow users direct and timely access to information about the\n                  security program. IPSS was also supposed to provide an ad-hoc\n                  reporting capability to let users design new queries and reports and\n                  save them for future use. 
DFS staff said they need these reports to\n                  perform routine quality assurance checks of the security program.\n                  For example, the reports help to ensure that temporary badges\n                  issued have been returned each day, clearance type matches\n                  badge type, and contractors who are not permitted 24-hour access\n                  to NRC facilities are not gaining access during non-business hours.\n\n                  DFS staff said instead of using the IPSS reports, they make\n                  requests of the system administrator for the reports they need.\n                  They also rely on other systems, which IPSS was supposed to\n                  replace, to perform the reporting tasks that IPSS was intended to\n                  perform.\n\n                            Deletion of Records\n\n                  IPSS does not allow records to be deleted, therefore, flawed\n                  records must remain in the system until a request can be made to\n                  OIS database management staff to use a \xe2\x80\x9cback-door\xe2\x80\x9d approach to\n                  delete records via the database server. DFS staff said that\n                  although the IPSS contract and project plan state the system will\n                  allow the deletion capability, a former DFS manager who no longer\n                  works for NRC insisted the feature would pose a security risk and\n                  consequently the feature was not pursued. 
OIG contends that\n                  omitting this feature is problematic and there are preferable means\n                  to prevent misuse.4\n\n                  OIS Provided Insufficient Support\n\n                  These system problems exist because OIS has not provided\n                  essential and required support to DFS during the IPSS\n                  development process and because DFS staff deployed the system\n                  prematurely.\n\n                  According to both methodologies NRC has used over the past 4\n                  years to facilitate systems development, OIS is required to support\n                  the program offices. According to an OIS manager, the focus of the\n                  support has shifted from a more technical approach to more of an\n                  overall project management approach, but in either case OIS is\n                  required to assist offices throughout the development process.\n                  According to the OIS manager, the OIS employee assigned to help\n\n\n\n4\n One means would be to allow a single individual who is not a regular system user (such as the system\nadministrator or system security manager) to have this capability, and use audit trails to ensure the feature is\nused appropriately.\n                                                       6\n\x0c                              Audit of NRC\xe2\x80\x99s Integrated Personnel Security System\n\n\n\nDFS with IPSS did not follow the agency standard system\ndevelopment life cycle process. According to the manager, this\nemployee has since retired from NRC and a replacement was not\nassigned to assist DFS further.\n\nDFS managers recognized that IPSS was deployed prematurely\nand that more problems should have been resolved before making\nthe transition from the old systems to the new. 
At that time a\ndecision was made to utilize a partially completed system as the\nprior personnel security system was failing and data was corrupt.\nOne manager said the decision to deploy the system in 2003 was\nmade by two managers who no longer work in DFS and who were\nfocused on staying close to the implementation deadline.\n\nImpact on Security Program\n\nDue to the problems with IPSS, the system does not provide the\ndesired assurance that NRC is in compliance with security\nclearance and access reinvestigation requirements. In addition,\nDFS cannot provide effective oversight over the security program,\nthe office is forced to maintain security systems that IPSS was\nintended to replace, and users are confused by incorrect data\nrecords. Furthermore, the cost and time required to develop IPSS\ncontinues to escalate beyond initial expectations; current\npredictions anticipate the system will be completed by December\n2006.\n\nRecommendations\n\nOIG recommends that the Executive Director for Operations:\n\n1. Assign an Office of Information Systems project manager to\n   work closely with DFS for the remainder of the IPSS\n   development process.\n\n2. Correct the reinvestigations notifications report so that all\n   overdue cases are identified and submitted for reinvestigation.\n\n\n\n\n                          7\n\x0c                                    Audit of NRC\xe2\x80\x99s Integrated Personnel Security System\n\n\n\n\nB. DATA INACCURATE AND MISSING\n\n        Key information within the IPSS system is inaccurate, missing, or\n        incorrectly displayed. Of 262 files analyzed by OIG, 119 files\n        contained one or more data errors. 
These errors occurred because DFS management did not provide users with adequate guidance and has implemented inadequate quality control procedures. Without accurate IPSS data, DFS cannot ensure that reinvestigations are performed in a timely manner, as required.

Required Controls

In accordance with Federal requirements, Government managers must implement effective management controls over their programs. Office of Management and Budget Circular No. A-123, “Management’s Responsibility for Internal Control,” states that effective internal control provides reasonable assurance that effective and efficient operations are being achieved. NRC Management Directive 4.4, “Management Controls,” states that management controls should reasonably ensure programs achieve their intended results and that reliable and timely information is obtained, maintained, reported, and used for decisionmaking.

The NRC reinvestigation program is designed to ensure that NRC employees and contractors receive the necessary background investigations to support their continued eligibility for security clearances and access assignments. Management Directive 12.3, “NRC Personnel Security Program,” establishes that DFS will initiate a reinvestigation every 5 years for Q and L(H) (high public trust) clearances and every 10 years for L clearances and IT access.
According to a DFS manager, the 5- or 10-year period begins when the most current investigation was closed by OPM, provided that the investigation allowed the issuance or continuation of a security clearance.

Information Is Inaccurate, Missing, and Incorrectly Displayed

Despite DFS reliance on IPSS, key information within the system is inaccurate, missing, or incorrectly displayed. Specifically,

• Information used to track reinvestigations is inaccurate or missing.

• Other information within IPSS contains errors.

• Data concerning clearance status is incorrectly displayed.

Reinvestigation Data Inaccurate or Missing

While IPSS is a tool for ensuring that reinvestigation requirements are met, key information within the system is inaccurate and/or missing. DFS staff rely on IPSS to track employees and contractors who need reinvestigations. Each day, IPSS generates and updates a Notifications Page that lists individuals coming due for a reinvestigation; this information is pulled by a program which relates to a field within IPSS called “date of investigation.” This date of investigation field contains the date the last investigation was closed by OPM. An OIG analysis of this field found that 105 out of 262 files⁵ randomly selected for review contained an error in this field.
Of the 105 files with errors, 50 files were missing a date in the field. The other 55 files had an error in the date reflected in IPSS. The following figure illustrates this breakdown.

[Figure: Date of Investigation Analysis. Date Correct 60%, Date Incorrect 21%, Date Missing 19%]

⁵ OIG reviewed 262 personnel security files located within the DFS vault. Auditors randomly pulled active employee and contractor files and compared the information within the paper file to the information within IPSS.

In some cases, the data inaccuracies were due to different choices made by staff on which date to enter. For example, during a short period of time around 1997, reinvestigations were conducted for L clearances without sending paperwork to OPM. This reinvestigation, called a file and fingerprint check, consisted of running checks on fingerprints and searching law enforcement databases for any negative information. The adjudicator would then adjudicate the case based on this information and grant a continued clearance if the outcome was acceptable. When IPSS was implemented, DFS managers determined that for individuals whose last reinvestigation was a file and fingerprint check, the date of investigation within IPSS should reflect the date the adjudicator signed the paperwork. Of the 262 files OIG reviewed, 15 had file and fingerprint checks as the last reinvestigation. Of the 15 file and fingerprint checks, 10 contained errors in the dates. In 7 of these 10 errors DFS staff entered the previous OPM investigation closed date as the date of investigation within IPSS.

At DFS’ request, OIG provided DFS with each of the error examples listed above. According to a DFS manager, each example was subsequently reviewed and corrections were made to IPSS and the paper files as appropriate.

Other Data Errors

In addition to errors in the date of investigation, there were other data errors within IPSS. These occurred with social security numbers, names, and clearance type. Of the 262 files OIG reviewed, 5 individuals had 2 IPSS files; one with the correct social security number and one with an error in the number that cannot be deleted from the system (see Finding A for more information on this issue).
In addition, 11 files contained errors in either the first or last name, 3 files had errors in both the first and last name, and 5 files contained inconsistencies in the clearance or access level.

Clearance Data Incorrectly Displayed

Data concerning clearance status is incorrectly displayed in IPSS. IPSS uses a split screen to track an individual’s clearance history. The left side tracks access (e.g., temporary access, IT access, building access) and the right side tracks clearances (Q, L(H), or L). OIG’s review of IPSS data found that in every instance where an employee or contractor has been issued a clearance, information relative to status (e.g., active, terminated, pending) was entered on the access portion of the split screen. Processors explained that this occurs because within IPSS there are mandatory fields that must be entered before the new record will be accepted by the system. Consequently, information appears on both the access and clearance sides of the screen when it should appear only on the clearance side.

Oversight Is Inadequate

Key information within IPSS contains errors because DFS management did not provide users with adequate guidance and users have created workarounds. In addition, quality control procedures are not adequate.

Inadequate Guidance

Errors within IPSS occurred because DFS lacks written guidance and effective quality control over the system. DFS has not provided users with useful written guidance. Of 22 IPSS users interviewed by OIG, 14 said they never received written guidance. Four individuals interviewed said that when IPSS was first implemented, they received a user guide that the contractor created.
This user guide was not updated as changes were made to the system and therefore it is not applicable to how the system is currently used.

In addition, the processors, who are responsible for entering most of the information in IPSS, do not receive formal written notification of policy changes on how to enter information within the system. Instead, a DFS manager meets with the processors to convey changes verbally. Sometimes the DFS manager follows up with an e-mail confirming the guidance.

User Workarounds

Clearance information in IPSS is incorrectly displayed because of a design flaw within IPSS that requires the completion of the access date regardless of whether the record is for someone with a clearance or access. Due to this design flaw, DFS processors have created workarounds (entering clearance information in the access fields as well as the clearance fields) to allow them to enter records in the system.

Inadequate Quality Control Measures

Another reason for IPSS data errors is that DFS’ quality control measures are ineffective. DFS currently has a quality control procedure that includes two separate checks of system data. The first check is performed by the processors when an individual submits his or her paperwork to DFS to process for reinvestigation; at this point, the processors are responsible for checking the data within IPSS, including name, date of birth, and last investigation. The adjudicator performs the second check upon receipt of an investigation to adjudicate; the adjudicator checks the same information that the processor reviewed.
Given the extent of data problems within IPSS, it is apparent that these measures are ineffective in ensuring the correct information is within the database.

Impact on Clearance Process

Missing and inaccurate data within IPSS can lead to reinvestigations not being performed in a timely manner. If the date of investigation is incorrect, IPSS begins the reinvestigation countdown at the incorrect date. In addition, when there is no date of investigation for an individual within IPSS, the Notifications Page will never identify this individual as coming due for a reinvestigation.

Having inappropriate required fields within IPSS caused additional information to be added to the system. This additional information can be incorrect or misleading to system users. For example, some users appear to be terminated when they have an active clearance because of the required entries in the access section. This could cause confusion for the security guards if the employee needs a temporary badge.

Recommendations

OIG recommends that the Executive Director for Operations:

3. Develop and implement a consolidated data entry guide for IPSS users and update it every 6 months or as needed.

4. Review and correct the most recent reinvestigation dates within IPSS.

5. Change IPSS to eliminate the requirement to duplicate clearance data within the system.

6. Eliminate data that was purposely duplicated as a workaround in IPSS records for individuals with a clearance.

7. Perform top-to-bottom cleanup effort of every active file; support this effort with clear written guidance as to what data goes in what field.

8. Develop and implement an overall quality control approach to ensure continued data accuracy.

C. IPSS CHECKS ARE INADEQUATE

IPSS lacks required system checks to assure correspondence between (1) badge type and clearance type and (2) clearance type and investigation type. The system also lacks logical date checks to ensure data accuracy. These issues exist because problems with system checks were not identified during user acceptance testing and because too few checks were included in system requirements documents. This lack of checks could result in the disclosure of classified information to those unauthorized for such access; it has already resulted in the issuance of incorrect badges to two NRC employees and in IPSS data errors.

Necessary System Checks

Computer systems cannot effectively support business operations unless they include sufficient checks to (1) highlight illogical actions to prevent misapplication of the business operation’s rules and (2) ensure that key data they process is accurate and reliable.
To this end, the IPSS project plan stated that IPSS would:

• Ensure a correlation is made between clearance/access type and type of badge issued so that no one could be assigned a badge that was inappropriate to their clearance or access.

• Make appropriate notification if the investigation on record is insufficient for the clearance requested or issued.

System Checks Are Missing

IPSS is missing fundamental system checks to facilitate the correct application of DFS policies and to ensure data accuracy. Auditors tested both the production and test versions⁶ of IPSS for these checks and balances and found that neither version:

• Prevented the assignment of an inappropriate badge type.

• Ensured a correlation between investigation and clearance type.

• Prevented the entry of illogical dates.

⁶ The production version of IPSS is the version that DFS is now using to support its daily operations. The test version is the version the contractor has improved, based on required enhancements, but which has not been implemented for use on a daily basis.

Specifically, system tests conducted by OIG allowed the authorization of a Q-clearance badge to employees without Q-clearance status, allowed the authorization of an L-clearance badge to employees without L-clearance status, and allowed the authorization of clearances and badges to employees when there was no corresponding investigation information entered in the system.⁷

Furthermore, an analysis of 262 IPSS records revealed at least 8 examples of illogical date entries that, if flagged to users, could have prompted correction of the dates, which in turn would have increased the accuracy of IPSS data.
These were cases where the predictable chronological sequence of (a) sending a request for investigation to OPM, (b) OPM’s closure date for the investigation (which, as noted previously, NRC uses to begin the countdown to the next reinvestigation), and (c) the date NRC receives the case back from OPM was obviously not reflected by the dates in IPSS. In these cases, the date that NRC received the closed case from OPM preceded the date the case was closed.

User Testing Was Inadequate

IPSS does not include basic system checks to prevent issuance of wrong badges or assignment of inappropriate clearances because user acceptance testing was inadequate to uncover the problems. Date logic checks were not included in the IPSS contract or project plan and consequently the contractor was not required to build them into the system.

According to DFS staff who were involved in testing IPSS prior to acceptance, they were not provided with formal instructions on how to test the system and they did not apply a methodical approach to see whether project plan requirements were included in the final system. DFS staff said they tested the system by taking actions they thought they would take as system users.
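The two controls the project plan called for (badge type matched to clearance, clearance backed by a sufficient investigation), the (a)/(b)/(c) date-ordering check described above, and the 5- and 10-year reinvestigation countdown from Finding B, written out as the kind of methodical acceptance test the preceding paragraph says DFS testers never applied. This is an added example; it is not code from the OIG report or from IPSS. The record layout, the investigation type names FULL, LIMITED and BASIC, the table of which investigation suffices for which clearance, the clearance ranking, the 90-day "due soon" window and the fixed reference date are all assumptions made for the example; the intervals and the sequence of OPM dates are taken from the report.

```python
"""Planned IPSS system checks as an acceptance test (added example).

Not code from the OIG report or from IPSS. Record layout, investigation
type names (FULL, LIMITED, BASIC), the sufficiency table and the clearance
ranking are assumptions; reinvestigation intervals follow the report.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Management Directive 12.3 as quoted in the report: 5 years for Q and
# L(H), 10 years for L clearances and IT access.
REINVESTIGATION_YEARS = {"Q": 5, "L(H)": 5, "L": 10, "IT": 10}

# Assumed ranking so that a badge never exceeds the clearance held.
RANK = {"NONE": 0, "IT": 1, "L": 2, "L(H)": 3, "Q": 4}

# Hypothetical sufficiency table: the report requires the check but does
# not define investigation types, so these names are invented.
SUFFICIENT = {"Q": {"FULL"}, "L(H)": {"FULL", "LIMITED"},
              "L": {"FULL", "LIMITED"}, "IT": {"FULL", "LIMITED", "BASIC"}}


@dataclass
class PersonnelRecord:
    name: str
    clearance: str                     # "Q", "L(H)", "L", "IT" or "NONE"
    badge: str                         # badge type, same vocabulary
    investigation: Optional[str]       # investigation type on record
    sent_to_opm: Optional[date]        # (a) request sent to OPM
    opm_closed: Optional[date]         # (b) OPM closure = "date of investigation"
    received_from_opm: Optional[date]  # (c) case received back from OPM


def check_badge(rec: PersonnelRecord) -> Optional[str]:
    """Badge type must not exceed the clearance on record."""
    if RANK[rec.badge] > RANK[rec.clearance]:
        return f"badge {rec.badge} exceeds clearance {rec.clearance}"
    return None


def check_investigation(rec: PersonnelRecord) -> Optional[str]:
    """A clearance must be backed by a sufficient investigation."""
    if rec.clearance == "NONE":
        return None
    if rec.investigation is None:
        return f"clearance {rec.clearance} with no investigation on record"
    if rec.investigation not in SUFFICIENT[rec.clearance]:
        return f"investigation {rec.investigation} insufficient for {rec.clearance}"
    return None


def check_dates(rec: PersonnelRecord) -> Optional[str]:
    """The OPM dates must follow (a) sent <= (b) closed <= (c) received."""
    stages = [("sent_to_opm", rec.sent_to_opm), ("opm_closed", rec.opm_closed),
              ("received_from_opm", rec.received_from_opm)]
    present = [(n, d) for n, d in stages if d is not None]
    for (earlier, d1), (later, d2) in zip(present, present[1:]):
        if d2 < d1:
            return f"{later} {d2} precedes {earlier} {d1}"
    return None


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February carried into a common year
        return d.replace(year=d.year + years, day=28)


def reinvestigation_status(rec: PersonnelRecord, today: date) -> str:
    """Classify for the notifications report. A missing date of investigation
    is reported as MISSING_DATE instead of silently never coming due, which
    is the failure mode the report describes."""
    if rec.clearance == "NONE":
        return "NO_CLEARANCE"
    if rec.opm_closed is None:
        return "MISSING_DATE"
    due = add_years(rec.opm_closed, REINVESTIGATION_YEARS[rec.clearance])
    if today >= due:
        return "OVERDUE"
    if due - today <= timedelta(days=90):  # assumed advance-notice window
        return "DUE_SOON"
    return "CURRENT"


def validate(rec: PersonnelRecord, today: date) -> Tuple[List[str], str]:
    checks = (check_badge(rec), check_investigation(rec), check_dates(rec))
    return [f for f in checks if f], reinvestigation_status(rec, today)


# Constructed records, one per planned control; none is a real NRC file.
SAMPLE_RECORDS = [
    PersonnelRecord("ok", "Q", "Q", "FULL", date(2003, 1, 10), date(2003, 6, 15), date(2003, 7, 1)),
    PersonnelRecord("badge_without_clearance", "NONE", "L", None, None, None, None),
    PersonnelRecord("missing_date", "L", "L", "LIMITED", date(1995, 3, 1), None, None),
    PersonnelRecord("illogical_dates", "L(H)", "L(H)", "FULL", date(2001, 2, 1), date(2001, 9, 30), date(2001, 8, 15)),
    PersonnelRecord("weak_investigation", "Q", "Q", "BASIC", date(1998, 11, 5), date(1999, 4, 20), date(1999, 5, 2)),
]


def run_acceptance(today: date = date(2005, 12, 22)) -> Dict[str, Tuple[List[str], str]]:
    """Run every sample record through every planned control."""
    return {rec.name: validate(rec, today) for rec in SAMPLE_RECORDS}
```

Each check is a separate function that returns a finding string or None, so a test can assert on exactly which control fired for which record rather than on a single pass/fail, and the missing-date case is a distinct status instead of the silent "never due" outcome the report found on the Notifications Page.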
A DFS manager provided us with one PEC document, dated April 2004 (6 months after DFS deployed IPSS), which contained general testing suggestions but was not intended to test the full capabilities and functions of IPSS.

DFS managers could not explain why date checks were not included in the system; one manager recalled discussions that such checks would be included, but did not know why they were not issued as system requirements.

⁷ OIG conducted tests of the built-in system controls. Although the system allowed auditors to authorize inappropriate badge assignments, none were actually issued as a result of the test.

Risks Posed By Missing Checks

Because IPSS lacks system checks to ensure that badges issued correspond to clearance type and that clearance type corresponds to investigation type, it is possible that an employee or contractor will be given inappropriate access to classified information. Furthermore, two regional employees who had not received their security clearances were mistakenly issued badges indicating they had L clearances. These occurrences were identified by the region’s security officer and resolved before either individual came into contact with classified information. Finally, system checks would have prevented errors in OPM investigative case closing dates in cases where the case closed date entered in IPSS preceded the entry for the date the case was sent to OPM.

Recommendations

OIG recommends that the Executive Director for Operations:

9. Fix the planned controls to prevent incorrect badge issuance and incorrect clearance assignment.

10. Add date logic controls to ensure that OPM investigation dates follow in logical chronological order.

D. SYSTEM SECURITY MEASURES INADEQUATE OR MISSING

IPSS does not follow several important security practices outlined in its security plan, including assigning users the least amount of access needed to perform their job, having the capability to identify when and how the system is used, and having users sign an integrity statement. IPSS security measures are inadequate because DFS managers performed ineffective oversight of system role assignments and were unaware of the risks posed by a lack of audit trails and an integrity statement. As a result of these shortcomings, personnel security information is vulnerable to misuse, both intentional and unintentional.

System Security Requirements

The IPSS security plan⁸ acknowledges that individuals authorized to have access to information systems potentially pose the greatest harm to those systems, both accidentally and intentionally. The IPSS security plan lists various security controls to prevent and detect harm to the system. These controls include least privilege and audit trails. Least privilege is the practice of restricting a user’s access to data files and the levels of access (e.g., viewable and editable) to the minimum amount necessary to perform his or her job.
According to the security plan, audit trails are used to monitor IPSS user activity. Audit trails are a record showing who has accessed the system and what operations he or she has performed during a given period of time. The security plan states that these mechanisms need to be implemented in order to improve the security of the system and the system data.

In addition, the system security plan contains an integrity statement that provides guidelines for users on when and how to use IPSS. The security plan suggests that each user should sign this document to ensure that they know and understand their responsibilities.

⁸ The Computer Security Act requires all Federal agencies to develop and implement a plan for the security and privacy of computer systems that contain sensitive information. In addition, the Act requires Federal agencies to review and update these plans every 3 years.

Several Security Practices Are Not Followed

IPSS does not follow several important security practices outlined in its security plan. Specifically,

• Least privilege is not followed in that some users are allowed too much access to the data, and other users have been inappropriately assigned the wrong access type.

• IPSS does not contain audit trails.

• Users do not sign an integrity statement on appropriate use of the system.

Least Privilege Not Followed

The least privilege principle was not followed for IPSS in that some roles allow too much access and others have been inappropriately assigned.

IPSS allows users to have different levels of access to the system based on the user being assigned one or multiple roles. These roles determine what screens the user can view and, within a screen, what fields are viewable and/or editable. As of June 24, 2005, IPSS had 12 roles that could be assigned to users. Through these 12 roles, a total of 185 fields are viewable or editable. The role with the most access to the system, security manager, allows users to edit 154 fields and view all of the 185 fields within the system. The role with the least access, clearance viewer, allows the user to view six fields, while the other roles allow varying levels of access between these two extremes. These roles were designed through a collaborative effort involving DFS managers and the system contractor, and the roles designed are detailed within the system security plan.

OIG’s analysis of roles and their associated screens and fields showed that some fields allowed too many roles to access the information.
According to the security plan and DFS managers, only the guards, facility security personnel, and Security Branch Chief need access to badge information; however, IPSS allows the drug manager and drug tester roles to view and edit this information.

In addition, IPSS users were assigned roles inappropriately based on their job functions. A security guard, who is responsible for issuing temporary badges to employees and visitors, had the highest level of access to IPSS. This level of access was designed for the DFS managers and only two other users have this access; they are both DFS managers. Furthermore, the role designated for senior adjudicators has been inconsistently applied to those who have that job responsibility. One senior adjudicator has the appropriate role, while another senior adjudicator has only the basic adjudicator role. In addition, there is a role in IPSS designed to allow users only to view clearances, yet this role has not been assigned to anyone. Furthermore, although the drug testing module is not currently functional, two IPSS users have been inappropriately assigned the drug tester and drug manager roles. One facility staff member has been assigned both the drug tester and drug manager roles and a processor has been assigned the drug tester role.

No Audit Trails

IPSS does not contain functional audit trails and the system lacks the ability to allow managers to track user activity and identify misuse of the system. Although audit trails were required for inclusion in IPSS, DFS opted not to pursue this security measure. Managers recalled that the contractor expressed that adding audit trails would be difficult and very costly.
Although IPSS contains some database level audit trails, this function is not used because it slows down the system to an unworkable level.

Integrity Statement Not Used

The lack of audit trails is compounded by the fact that users are not required to sign an integrity statement acknowledging appropriate use of the system.

Oversight Is Ineffective

IPSS security measures are inadequate because DFS managers performed ineffective oversight of role implementation and assignment. In addition, managers are unaware of the risks posed by a lack of audit trails and failure to use an integrity statement.

IPSS roles allow users to have too much access to the system because quality review procedures have been inadequate. After the contractor delivered the designed roles, the IPSS administrator reviewed the roles to ensure that the access was correct. In addition, when new fields are added to IPSS the system administrator is responsible for establishing what roles should be allowed access. These procedures were not successful in ensuring the roles had the appropriate access. Furthermore, DFS managers do not perform periodic reviews of the role assignments to ensure that users have the appropriate roles.

IPSS lacks an audit trail capability because DFS managers were unaware of the risk to the system without this technical security measure. The system contractor stated that creating audit trails would be a complicated process and DFS managers made the decision not to pursue creating audit trails within the system. DFS managers made this decision based on the projected cost to develop audit trails and because their office is small and they felt that the potential for harm to the system is minimal.
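The periodic least-privilege review that the preceding paragraphs say was not performed, covering both the role definitions (which roles can reach which fields) and the role assignments (which users hold which roles), as an added example that is not code from the OIG report or from IPSS. The role names, the handful of fields, the user list and the job-function expectations are constructed to mirror the cases in this finding (the real system had 12 roles and 185 fields); the only policy taken from the report is that badge information is needed by guards, facility security personnel and the Security Branch Chief, and it is an assumption of the example that the all-fields security manager role is permitted there as well.

```python
"""Least-privilege review of role definitions and assignments (added example).

Not code from the OIG report or from IPSS. Roles, fields, users and the
expected-role table are constructed to mirror the cases in the finding.
"""
from typing import Dict, List, Set, Tuple

# Constructed role -> {field: "view" | "edit"} matrix.
ROLE_FIELDS: Dict[str, Dict[str, str]] = {
    "security_manager": {"badge_type": "edit", "badge_number": "edit", "clearance": "edit",
                         "investigation_date": "edit", "drug_test_result": "edit", "name": "edit"},
    "guard": {"badge_type": "view", "badge_number": "view", "name": "view"},
    "facility_security": {"badge_type": "edit", "badge_number": "edit", "name": "view"},
    "security_branch_chief": {"badge_type": "edit", "badge_number": "edit", "clearance": "view"},
    "processor": {"investigation_date": "edit", "name": "edit"},
    "adjudicator": {"clearance": "edit", "investigation_date": "view"},
    "senior_adjudicator": {"clearance": "edit", "investigation_date": "edit", "name": "edit"},
    "clearance_viewer": {"clearance": "view"},
    "drug_manager": {"drug_test_result": "edit", "badge_type": "edit", "badge_number": "edit"},
    "drug_tester": {"drug_test_result": "edit", "badge_type": "view", "badge_number": "view"},
}

# Who may reach badge information, per the report; security_manager is an
# assumed addition. Fields absent from the policy are not reviewed here.
BADGE_ROLES = {"guard", "facility_security", "security_branch_chief", "security_manager"}
FIELD_POLICY: Dict[str, Set[str]] = {"badge_type": BADGE_ROLES, "badge_number": BADGE_ROLES}

# Roles belonging to a module that is not in production (drug testing).
INACTIVE_MODULE_ROLES = {"drug_manager", "drug_tester"}

# Job function -> roles that function is expected to hold (assumed table).
EXPECTED_ROLES: Dict[str, Set[str]] = {
    "guard": {"guard"},
    "dfs_manager": {"security_manager"},
    "facility_security": {"facility_security"},
    "security_branch_chief": {"security_branch_chief"},
    "processor": {"processor"},
    "adjudicator": {"adjudicator"},
    "senior_adjudicator": {"adjudicator", "senior_adjudicator"},
}

# Constructed assignments: (user id, job function, roles held).
USERS: List[Tuple[str, str, Set[str]]] = [
    ("guard_01", "guard", {"guard", "security_manager"}),
    ("mgr_01", "dfs_manager", {"security_manager"}),
    ("mgr_02", "dfs_manager", {"security_manager"}),
    ("chief_01", "security_branch_chief", {"security_branch_chief"}),
    ("adj_01", "senior_adjudicator", {"adjudicator", "senior_adjudicator"}),
    ("adj_02", "senior_adjudicator", {"adjudicator"}),
    ("fac_01", "facility_security", {"facility_security", "drug_manager", "drug_tester"}),
    ("proc_01", "processor", {"processor", "drug_tester"}),
]


def roles_exceeding_policy(role_fields=ROLE_FIELDS, policy=FIELD_POLICY) -> Dict[str, List[str]]:
    """Fields reachable by roles the policy does not permit (role design review)."""
    excess: Dict[str, List[str]] = {}
    for field, allowed in policy.items():
        offenders = sorted(r for r, fields in role_fields.items()
                           if field in fields and r not in allowed)
        if offenders:
            excess[field] = offenders
    return excess


def unassigned_roles(users=USERS, role_fields=ROLE_FIELDS) -> List[str]:
    """Roles defined in the system that no user holds."""
    held: Set[str] = set().union(*(roles for _, _, roles in users))
    return sorted(set(role_fields) - held)


def review_assignments(users=USERS) -> List[Tuple[str, str]]:
    """Per-user issues: roles beyond the job function, inactive-module roles,
    and expected roles that are missing (assignment review)."""
    issues: List[Tuple[str, str]] = []
    for uid, job, roles in users:
        expected = EXPECTED_ROLES[job]
        for r in sorted(roles - expected):
            kind = "inactive-module role" if r in INACTIVE_MODULE_ROLES else "role beyond job function"
            issues.append((uid, f"{kind}: {r}"))
        for r in sorted(expected - roles):
            issues.append((uid, f"missing expected role: {r}"))
    return issues
```

The two reviews are deliberately separate: `roles_exceeding_policy` finds design problems in the role matrix itself, which only the administrator who defines roles can fix, while `review_assignments` finds people holding the wrong roles, which is the annual check Recommendation 12 asks for. Comparing against an explicit job-function table also catches a role that is held by nobody, which the report found for the clearance viewer role.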
DFS managers were unaware of the need for an integrity statement, although it is mentioned within the security plan.

Personnel Security Information Is At Risk

Personnel security information is at risk because appropriate security measures over access to the system and its data are not in place to prevent misuse. Some users have too much access to IPSS information, which increases the risk to the quality of the IPSS data. The risk to the data is compounded because there are no measures in place to ensure users are using the system appropriately.

Recommendations

OIG recommends that the Executive Director for Operations:

11. Redefine IPSS user roles in accordance with least privilege requirements.

12. Review role assignments annually and make appropriate adjustments.

13. Add audit trail capabilities to IPSS.

14. Review audit trail reports monthly to ensure appropriate use of IPSS.

15. Require future IPSS users to sign an integrity statement before being granted access to the system. Also require existing users to sign an integrity statement.

E. IPSS LACKS RECORDS DISPOSITION SCHEDULE

IPSS lacks a records disposition schedule because OIS failed to inform DFS of this need during the system development process. As a result, the system is not in compliance with Federal records retention requirements.

Records Disposition Requirements

All Federal records require a records disposition schedule which defines the actions that must be taken when the records are no longer needed for Government business. All disposition schedules must be approved by the National Archives and Records Administration (NARA).
Personnel security clearance records are covered by NARA General Records Schedule 18-22a, which states that the paper files need to be destroyed when an employee or contractor dies or not more than 5 years after the employee separates from an agency or the contract relationship expires.

Electronic records are covered by General Records Schedule 20-3a, which states that electronic versions of records scheduled for disposal under the personnel security requirements are to be deleted after the expiration of the authorized retention period for the paper records, or when no longer needed, whichever is later.

No IPSS Records Disposition Schedule

DFS lacks a records disposition schedule for IPSS. A DFS manager explained that even though the paper records must be destroyed, it is useful to retain electronic records because there are occasions when employees or contractors return to NRC after 5 years and it is useful to have a historical record when adjudicating these individuals for clearance or access. The manager was unaware that a records disposition schedule was needed.

When asked to elaborate on what DFS needs to do to ensure compliance with Federal records retention requirements, an OIS records manager explained that DFS must develop a schedule and process for IPSS records disposition that is worked into its operating procedures and into an IPSS user guide.

DFS Was Unaware of Requirement

IPSS lacks a records disposition schedule and associated implementation plans because OIS failed to inform DFS of this need during the system development process.
According to an OIS manager, the need for a records disposition schedule would typically be identified when an office first approaches OIS to begin planning for a system. The manager said there are measures currently in place to ensure that these steps occur.

NRC Is Noncompliant With Records Requirement

Without an IPSS records disposition schedule and a process to ensure it is followed, NRC is not in compliance with Federal records retention requirements.

Recommendations

OIG recommends that the Executive Director for Operations:

16. Develop a records disposition schedule for IPSS and incorporate it into DFS procedures and the IPSS users manual.

F. SIGNIFICANT ISSUES REMAIN

It has been more than 2 years since IPSS was deployed by DFS for routine use in support of the agency’s security programs, yet significant problems remain. These problems pertain to the system’s lack of functionality, inaccuracies in system data, missing system checks, and ineffective security measures, which, taken together, jeopardize the agency’s ability to efficiently manage its personnel and facility security programs.

The contract to develop IPSS is now in its seventh modification and DFS managers anticipate that up to $90,000 more will be needed to finish developing the system by a new target date of December 2006.
Given the previous complications in fulfilling the system\n         design requirements, there is no assurance that the system will\n         perform satisfactorily even 1 year from now.\n\n         OIG recommends that the Executive Director for Operations:\n\n          17. Conduct a cost-benefit analysis to determine whether the\n              agency should continue to develop IPSS versus replacing\n              the system. As part of the cost-benefit analysis consider\n              current Federal personnel security requirements.\n\n\nIV. CONSOLIDATED LIST OF RECOMMENDATIONS\n\n        1. Assign an Office of Information Systems project manager to\n           work closely with DFS for the remainder of the IPSS\n           development process.\n\n        2. Correct the reinvestigations notifications report so that all\n           overdue cases are identified and submitted for reinvestigation.\n\n        3. Develop and implement a consolidated data entry guide for\n           IPSS users and update it every 6 months or as needed.\n\n        4. Review and correct the most recent reinvestigation dates within\n           IPSS.\n\n        5. Change IPSS to eliminate the requirement to duplicate\n           clearance data within the system.\n\n        6. Eliminate data that was purposely duplicated as a workaround\n           in IPSS records for individuals with a clearance.\n\n        7. Perform top-to-bottom cleanup effort of every active file; support\n           this effort with clear written guidance as to what data goes in\n           what field.\n\n        8. Develop and implement an overall quality control approach to\n           ensure continued data accuracy.\n\n        9. Fix the planned controls to prevent incorrect badge issuance\n           and incorrect clearance assignment.\n\n        10. 
Add date logic controls to ensure that OPM investigation dates\n            follow in logical chronological order.\n\n        11. Redefine IPSS user roles in accordance with least privilege\n            requirements.\n\n        12. Review role assignments annually and make appropriate\n            adjustments.\n\n        13. Add audit trail capabilities to IPSS.\n\n        14. Review audit trail reports monthly to ensure appropriate use of\n            IPSS.\n\n        15. Require future IPSS users to sign an integrity statement before\n            being granted access to the system. Also require existing users\n            to sign an integrity statement.\n\n        16. Develop a records disposition schedule for IPSS and\n            incorporate it into DFS procedures and the IPSS users manual.\n\n        17. Conduct a cost-benefit analysis to determine whether the\n            agency should continue to develop IPSS versus replacing the\n            system. As part of the cost-benefit analysis consider current\n            Federal personnel security requirements.\n\n\nV. AGENCY COMMENTS\n\n       At an exit conference held on December 22, 2005, NRC officials\n       generally agreed with the report\xe2\x80\x99s findings and recommendations\n       and provided comments concerning the report. In addition, they\n       stated that they were aware of problems with IPSS prior to\n       receiving the draft report. We modified the report as we determined\n       appropriate. 
NRC reviewed these modifications and opted not to\n       submit formal written comments to this final version of the report.\n\n\n                                                                          Appendix A\nSCOPE AND METHODOLOGY\n\n       Auditors reviewed IPSS to determine if the system meets its\n       required operational capabilities.\n\n       The OIG audit team reviewed relevant criteria, including\n       Management Directive 12.3, \xe2\x80\x9cNRC Personnel Security Program\xe2\x80\x9d;\n       OMB Circular No. A-123, \xe2\x80\x9cManagement\xe2\x80\x99s Responsibility for Internal\n       Control\xe2\x80\x9d; OMB Circular No. A-130, \xe2\x80\x9cManagement of Federal\n       Information Resources\xe2\x80\x9d; NUREG-0910, \xe2\x80\x9cNRC Comprehensive\n       Records Disposition Schedule\xe2\x80\x9d; and NARA\xe2\x80\x99s \xe2\x80\x9cGeneral Records\n       Schedule.\xe2\x80\x9d The audit team also reviewed system documentation,\n       including the IPSS contract, security plan, project plan, training\n       plan, data conversion plan, contingency plan, and users guide.\n\n       Auditors interviewed DFS and other Office of Administration staff\n       responsible for the system to understand the development and\n       management of the system. 
Auditors interviewed IPSS users,\n       including adjudicators, facility security staff, processors, and\n       security guards to determine user satisfaction with the system.\n       Auditors also interviewed OIS staff to learn about support OIS\n       should provide to IT system development projects and about\n       agency records retention policy.\n\n       Auditors compared information from the paper personnel security\n       records to the corresponding data within IPSS to assess the\n       accuracy of IPSS information and whether the system was\n       capturing individuals due for reinvestigation. Auditors reviewed a\n       total of 262 personnel security files for both NRC employees and\n       contractors. Auditors also conducted tests of the live and\n       production versions of IPSS to assess system data controls.\n\n       This work was conducted from May 2005 through October 2005, in\n       accordance with generally accepted Government auditing\n       standards and included a review of management controls related to\n       audit objectives. 
The work was conducted by Beth Serepca, Team\n       Leader; Judy Gordon, Audit Manager; Rebecca Underhill,\n       Management Analyst; and Christopher Lange, Summer Intern.\n\n\n                                                                          Appendix B\nDETAILED IPSS DESCRIPTION\n\n      The following chart, which appears in the contractor\xe2\x80\x99s IPSS design\n      review document, illustrates how IPSS was intended to be used within\n      NRC.\n\n      [Figure: IPSS process flow chart from the contractor\xe2\x80\x99s design review\n      document. The chart places IPSS at the center and shows the parties and\n      data flows around it: the Clearance Applicant and the Classified Visitor\n      complete security forms and submit them, and receive requests for more\n      information and provide it; the Processor/Adjudicator reviews and\n      forwards forms and enters applicant/visitor information and\n      checks/investigation information into IPSS; NCIC, Credit, PIPS, and\n      DCII Checks are requested and their results provided; an OPM\n      Investigation is requested and its results provided; Human Resources\n      supplies the drug test candidate pool and receives various\n      notifications; the Drug Testing Office exchanges drug test\n      notifications, drug test results, requests for random drug test\n      candidates, and the random drug test candidates list; Adjudication\n      Management sends interim/final notifications and interim/final\n      approvals; the NRC File Server holds the person image; the Badge\n      Station receives interim/permanent badge information and the person\n      image and passes them to PICS/ACCESS; and the Guard Post receives\n      classified visitor notifications and issues temporary badges and\n      grants facility access.]\n\n      The IPSS Overall Project Plan, dated February 2003, described the\n      following objectives for IPSS:\n\n      The objective of this project is to develop an efficient, accurate, and\n      reliable system that meets its functional requirements and replaces the\n      current 
personnel security software. The IPSS will\n\n\xe2\x80\xa2   track all personnel security processing activities related to the\n    approval or denial of an employment clearance and access\n    authorization;\n\n\xe2\x80\xa2   track unescorted contractor access to NRC facilities;\n\n\xe2\x80\xa2   track due process procedures (denial, revocation, suspension and\n    termination of employment clearance or access authorization);\n\n\xe2\x80\xa2   provide reporting capabilities;\n\n\xe2\x80\xa2   track outgoing visits of NRC employees;\n\n\xe2\x80\xa2   provide a \xe2\x80\x9ctickler\xe2\x80\x9d system to alert staff when follow-up action is\n    required;\n\n\xe2\x80\xa2   provide data input along with the images of staff to serve as a\n    badging verification system;\n\n\xe2\x80\xa2   provide for data consistency, confidentiality, integrity and\n    authentication;\n\n\xe2\x80\xa2   promote efficient data sharing by consolidating personnel security\n    activities into one integrated system;\n\n\xe2\x80\xa2   track drug testing activities;\n\n\xe2\x80\xa2   provide random selection and tracking of drug program participants;\n\n\xe2\x80\xa2   provide multiple drug testing reports;\n\n\xe2\x80\xa2   generate standard memos approving or denying access letter\n    authorizations;\n\n\xe2\x80\xa2   generate email capability to notify facility security staff of access\n    authorizations; and\n\n\xe2\x80\xa2   provide Ad Hoc reporting capabilities.\n\nIPSS will promote more efficient data sharing by consolidating\npersonnel security activities into one integrated system.\n'